// 评语 API 处理器 — 老师点评学生日记

use axum::extract::{Extension, FromRef, Path, State};
use axum::http::StatusCode;
use axum::response::Json;
use uuid::Uuid;
use validator::Validate;

use erp_core::error::AppError;
use erp_core::rbac::require_permission;
use erp_core::types::{ApiResponse, TenantContext};

use crate::dto::{CommentResp, CreateCommentReq};
use crate::service::comment_service::CommentService;
use crate::state::DiaryState;

#[utoipa::path(
    post,
    path = "/api/v1/diary/journals/{journal_id}/comments",
    params(("journal_id" = Uuid, Path, description = "日记ID")),
    request_body = CreateCommentReq,
    responses(
        (status = 201, description = "点评成功", body = ApiResponse<CommentResp>),
        (status = 400, description = "验证失败或内容安全检查未通过"),
        (status = 401, description = "未授权"),
        (status = 403, description = "权限不足或不是本班老师"),
        (status = 404, description = "日记不存在"),
    ),
    security(("bearer_auth" = [])),
    tag = "评语管理"
)]
/// POST /api/v1/diary/journals/:journal_id/comments
///
/// 老师点评日记。需要 `diary.comment.write` 权限。
/// 仅本班老师可以点评，私密日记不允许点评。
pub async fn create_comment<S>(
    State(state): State<DiaryState>,
    Extension(ctx): Extension<TenantContext>,
    Path(journal_id): Path<Uuid>,
    Json(req): Json<CreateCommentReq>,
) -> Result<(StatusCode, Json<ApiResponse<CommentResp>>), AppError>
where
    DiaryState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
{
    req.validate().map_err(|e| AppError::Validation(e.to_string()))?;
    require_permission(&ctx, "diary.comment.write")?;

    if req.content.trim().is_empty() {
        return Err(AppError::Validation("评语内容不能为空".to_string()));
    }

    let resp = CommentService::create_comment(
        ctx.tenant_id,
        ctx.user_id,
        journal_id,
        req.content,
        &state.db,
        &state.event_bus,
    )
    .await?;

    Ok((StatusCode::CREATED, Json(ApiResponse::ok(resp))))
}

#[utoipa::path(
    get,
    path = "/api/v1/diary/journals/{journal_id}/comments",
    params(("journal_id" = Uuid, Path, description = "日记ID")),
    responses(
        (status = 200, description = "成功", body = ApiResponse<Vec<CommentResp>>),
        (status = 401, description = "未授权"),
        (status = 403, description = "权限不足"),
    ),
    security(("bearer_auth" = [])),
    tag = "评语管理"
)]
/// GET /api/v1/diary/journals/:journal_id/comments
///
/// 获取日记评语列表。需要 `diary.journal.read` 权限。
pub async fn list_comments<S>(
    State(state): State<DiaryState>,
    Extension(ctx): Extension<TenantContext>,
    Path(journal_id): Path<Uuid>,
) -> Result<Json<ApiResponse<Vec<CommentResp>>>, AppError>
where
    DiaryState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
{
    require_permission(&ctx, "diary.journal.read")?;

    let resp = CommentService::list_comments(ctx.tenant_id, journal_id, &state.db).await?;
    Ok(Json(ApiResponse::ok(resp)))
}

#[utoipa::path(
    delete,
    path = "/api/v1/diary/comments/{comment_id}",
    params(("comment_id" = Uuid, Path, description = "评语ID")),
    responses(
        (status = 200, description = "删除成功"),
        (status = 401, description = "未授权"),
        (status = 403, description = "权限不足或不是评语作者"),
        (status = 404, description = "评语不存在"),
    ),
    security(("bearer_auth" = [])),
    tag = "评语管理"
)]
/// DELETE /api/v1/diary/comments/:comment_id
///
/// 删除评语。仅评语作者可以删除自己的评语。需要 `diary.comment.delete` 权限。
pub async fn delete_comment<S>(
    State(state): State<DiaryState>,
    Extension(ctx): Extension<TenantContext>,
    Path(comment_id): Path<Uuid>,
) -> Result<Json<ApiResponse<()>>, AppError>
where
    DiaryState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
{
    require_permission(&ctx, "diary.comment.delete")?;

    CommentService::delete_comment(ctx.tenant_id, ctx.user_id, comment_id, &state.db).await?;
    Ok(Json(ApiResponse::ok(())))
}